Whitelist by ASNNumber

Hi,

I’m having a hard time figuring out how to whitelist events from a specific ASNNumber.

I created a postoverflow whitelist in /etc/crowdsec/postoverflows/s01-whitelist/zz-whitelist-AS.yaml and tried various expressions without success.

Here are the ones that pass compilation, but the ASNNumber seems to be empty at runtime:

name: zz-whitelist-AS
description: Whitelist some AS
debug: true
whitelist:
  reason: Whitelisted AS
  expression:
    - evt.Enriched.ASNNumber in [3215, 15557, 12322, 5410]
    - evt.Meta.ASNNumber in [3215, 15557, 12322, 5410]
    - evt.Overflow.Sources.AsNumber in [3215, 15557, 12322, 5410]

Here is the debug output from these expressions:

  • evt.Enriched.ASNNumber: level=debug msg=" evt.Enriched.ASNNumber = ''"
  • evt.Meta.ASNNumber: level=debug msg=" evt.Meta.ASNNumber = ''"
  • evt.Overflow.Sources.AsNumber: level=debug msg=" evt.Overflow.Sources.AsNumber = '{ 0 0 <nil> <nil>}'"

Is it possible to whitelist events based on ASNNumber?

Thanks.

Hello @eguaj ,

You can do it by accessing the AS Number in postoverflow in evt.Overflow.Alert.Source.AsNumber.

Hope it helps!


Thank you, it works!

I also had to change the AS numbers to strings (i.e. '3215' instead of 3215):

name: zz-whitelist-AS
description: Whitelist some AS
debug: true
whitelist:
  reason: Whitelisted AS
  expression:
    - evt.Overflow.Alert.Source.AsNumber in ['3215', '15557', '12322', '5410']

Just wanted to thank you both for the notes, and to share that while I was able to make a version like this for ‘postoverflows’, it wasn’t until I made a ‘parsers’ version that I saw ‘explain’ show a ‘whitelisted’ response.

Suggested file name: /etc/crowdsec/parsers/s02-enrich/zz-whitelist.yml
File contents (ASN numbers are fake - verify what you use!):

name: homelab/ASN-whitelist
description: "Whitelist Trusted ASNs"
#debug: true
whitelist:
  reason: "Whitelisted ASN"
  expression:
    # the hub geoip-enrich parser stores the ASN (as a string) under the key
    # ASNNumber (double N) in both evt.Enriched and evt.Meta
    - evt.Meta.ASNNumber in ['1010', '10101', '101']
    - evt.Enriched.ASNNumber in ['1010', '10101', '101']
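The two placements discussed in this thread, side by side, as an added example rather than a config from any of the posters. It is shown as two YAML documents, one per file path given in the leading comment. The file names, the `example/...` parser names and the AS numbers are placeholders; what is not a placeholder is the field layout: the hub geoip-enrich parser writes the ASN as a string into evt.Enriched.ASNNumber and evt.Meta.ASNNumber, and at the postoverflow stage the event is the overflow, so the enriched source lives on the alert as evt.Overflow.Alert.Source.AsNumber (also a string). That is why the first post's integer lists and the Enriched/Meta lookups in a postoverflow never matched.

```yaml
# /etc/crowdsec/parsers/s02-enrich/zz-whitelist-asn.yaml
# Parser-stage whitelist. It lives in the same stage as the hub's geoip-enrich
# parser and sorts after it by filename, so the ASN fields are already filled in
# when this node runs. A whitelisted log line never feeds a bucket, so no
# alert (and no ban) is produced for it at all.
# AS numbers are placeholders for illustration; substitute your own.
name: example/asn-whitelist-parser
description: "Whitelist log lines whose source IP belongs to a trusted ASN"
debug: true          # logs each expression evaluation; drop once it works
whitelist:
  reason: "trusted ASN (parser stage)"
  expression:
    # geoip-enrich stores the ASN as a string, so compare against strings,
    # not integers: [3215, 15557] would silently never match
    - evt.Enriched.ASNNumber in ['3215', '15557', '12322', '5410']
---
# /etc/crowdsec/postoverflows/s01-whitelist/zz-whitelist-asn.yaml
# Postoverflow whitelist. Here evt is the overflow, not a log line, so
# evt.Enriched and evt.Meta are empty (the '' seen in the first post's debug
# output). The source data is carried on the alert instead. The scenario still
# fires; only the resulting alert is discarded.
name: example/asn-whitelist-postoverflow
description: "Drop alerts whose source belongs to a trusted ASN"
debug: true
whitelist:
  reason: "trusted ASN (postoverflow)"
  expression:
    - evt.Overflow.Alert.Source.AsNumber in ['3215', '15557', '12322', '5410']
```

To check the parser-stage file, feed a real log line from an IP inside one of the listed ASNs through `cscli explain --log '<line>' --type <acquisition type> -v`; the verbose output lists each parser's result for the line, so a correct whitelist shows up as a hit with the reason above, and a wrong key name or an integer comparison shows up as a non-matching parser. Both files need the GeoIP ASN database that the geoip-enrich parser uses; without it the ASN fields are empty and neither whitelist can ever match, which is worth verifying before trusting that trusted traffic is actually being exempted.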